HostIdMapping ::= SEQUENCE {
    hostName               [1] IMPLICIT IA5String,
    subjectID              IMPLICIT IA5String,
    proofOfIdPossession    IdProof OPTIONAL }

IdProof ::= SEQUENCE {
    secret                 OCTET STRING,
    encryptionAlgorithm    OBJECT IDENTIFIER }
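As an added example (not code from the patent), the HostIdMapping and IdProof definitions above encoded and decoded as DER, so the tagging can be checked on actual bytes; the page gives no context tag number for subjectID, so the example assumes the universal IA5String tag (0x16), and the host name, subject ID, secret and algorithm OID used in the test are constructed sample values.

```python
# Added example, not the patent's code; assumes subjectID (no tag number on the page) uses the universal IA5String tag 0x16.
def _tlv(tag: int, body: bytes) -> bytes:          # DER TLV with definite length
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def _oid(dotted: str) -> bytes:                    # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                     # high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_host_id_mapping(host: str, subject: str, secret: bytes = None, alg_oid: str = None) -> bytes:
    body = _tlv(0x81, host.encode("ascii")) + _tlv(0x16, subject.encode("ascii"))  # [1] IMPLICIT + IA5String
    if secret is not None:                         # proofOfIdPossession OPTIONAL: IdProof SEQUENCE
        body += _tlv(0x30, _tlv(0x04, secret) + _oid(alg_oid))
    return _tlv(0x30, body)

def _read(buf: bytes, pos: int):                   # -> (tag, value bytes, position after element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(b: bytes) -> str:
    first = min(b[0] // 40, 2)
    arcs, val = [first, b[0] - 40 * first], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_host_id_mapping(der: bytes) -> dict:
    tag, body, end = _read(der, 0)
    t1, host, pos = _read(body, 0)
    t2, subj, pos = _read(body, pos)
    if (tag, end, t1, t2) != (0x30, len(der), 0x81, 0x16):
        raise ValueError("malformed HostIdMapping")
    out = {"hostName": host.decode("ascii"), "subjectID": subj.decode("ascii"), "proofOfIdPossession": None}
    if pos < len(body):                            # optional IdProof present
        _, proof, _ = _read(body, pos)
        _, secret, p = _read(proof, 0)
        _, oid, _ = _read(proof, p)
        out["proofOfIdPossession"] = {"secret": secret, "encryptionAlgorithm": _decode_oid(oid)}
    return out
```

The decoder rejects trailing bytes and wrong tags, which is the check a host should make before trusting the identity and secret it recovers.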
Certificate ::= SEQUENCE {
    tbsCertificate         TBSCertificate,
    signatureAlgorithm     AlgorithmIdentifier,
    signature              BIT STRING }

TBSCertificate ::= SEQUENCE {
    version           [0]  Version DEFAULT v1,
    serialNumber           CertificateSerialNumber,
    signature              AlgorithmIdentifier,
    issuer                 Name,
    validity               Validity,
    subject                Name,
    subjectPublicKeyInfo   SubjectPublicKeyInfo,
    issuerUniqueID    [1]  IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID   [2]  IMPLICIT UniqueIdentifier OPTIONAL,
    extensions        [3]  Extensions OPTIONAL }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore              Time,
    notAfter               Time }

Time ::= CHOICE {
    utcTime                UTCTime,
    generalTime            GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm              AlgorithmIdentifier,
    subjectPublicKey       BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnID                 OBJECT IDENTIFIER,
    critical               BOOLEAN DEFAULT FALSE,
    extnValue              OCTET STRING }

FIG. 5 (PRIOR ART)



U.S. Serial Number 09/667,090 Atty. Docket # AUS9-2000-0255-US1

Benantar et al. 

Method and system for coupling an X.509 digital certificate with a host identity 



5/7 



FIG. 7 (block diagram; only the element labels and reference numerals are recoverable from the page)

    Host system 700: host public key 728, host private key 730, authentication data 732 (identity, password), legacy application 734
    User key pair 702: user public key 704, user private key 706
    Request for certificate 712: user public key 704, HostID mapping (encrypted for CA) 714
    Certifying authority 716: CA public key 718, CA private key 720
    X.509 certificate 722: user public key (signed) 724, HostID mapping (encrypted for host) 726
    Network directory 710: host X.509 certificate 708






FIG. 8A (flowchart: client side)

    BEGIN
    802  Client system generates/obtains client public/private key pair
    804  Client obtains public key of certifying authority (CA)
    806  Client encrypts host identity mapping information using CA public key
    808  Client generates certificate request containing client public key and encrypted host identity mapping information
    810  Client sends certificate request to certifying authority
    812  Client receives and stores X.509 certificate containing signed client public key and host identity mapping information that was encrypted using public key of host system
    END



FIG. 8B (flowchart: certifying authority side)

    BEGIN
    820  Certifying authority (CA) receives client certificate request containing client public key and encrypted host identity mapping information
    822  CA verifies identity of requesting client
    826  CA obtains host public key
    828  CA decrypts encrypted host identity mapping information using CA private key
    830  CA encrypts host identity mapping information using host public key
    832  CA generates and signs client certificate containing signed client public key and encrypted host identity mapping information
    834  CA sends certificate to client
    END






FIG. 8C (flowchart: host system side)

    BEGIN
    840  Client presents X.509 certificate containing encrypted host identity mapping information to host system
    842  Host system verifies client certificate
    844  Host system decrypts encrypted host identity mapping information using host private key
    846  Host system obtains host identity of certificate holder and associated secret information (e.g., password) from host identity mapping information
    848  Host system uses host identity and associated secret information for authentication of client (certificate holder) on another system or application
    850  Client uses services on system or application on which client has been authenticated
    END



